26–27 September 2017

Tokyo, Japan

How not to handle being hacked

In November 2015, toy maker VTech suffered a serious data breach that compromised the personal details of 11 million of its customers, more than 6 million of whom were children. Unencrypted data lost included names, addresses, email addresses, download history and secret security questions. The account passwords themselves had been hashed, but only with MD5, a fast, unsalted hash that is inadequate for password storage.

So far so bad. As a toy manufacturer, it’s reasonable to assume that VTech does not have the same strength and depth in information security that one might expect from, say, a bank or a nuclear facility. But as with the automotive industry, once a business starts introducing connected features and services as a product benefit, it must accept responsibility for keeping the resulting personal data safe and private. That includes taking every reasonable precaution to protect against the full spectrum of known threats, with all the expense and management time that entails.

So how did VTech respond? Well, they issued the press release that many other companies have found themselves having to issue, including the assurance that they,

“immediately conducted a thorough investigation, which involved a comprehensive check of the affected site and implementation of measures to defend against any further attacks”.

Interestingly, there was no press release heralding their next action. The company quietly updated its terms and conditions, adding the following disclaimer:

“You acknowledge and agree that any information you send or receive during your use of the site may not be secure and may be intercepted or later acquired by unauthorised parties. You acknowledge and agree that your use of the site and any software or firmware downloaded therefrom is at your own risk.”

“Recognising such, you understand and agree that, to the fullest extent permitted by applicable law, neither VTech or its suppliers […] will be liable to you for any direct, indirect, incidental, special, consequential, punitive, exemplary or other damages of any kind…”

In other words: I pay to use your service; you get breached because the security you put in place isn’t up to scratch; my privacy is compromised; it’s my problem, not yours.

Good luck making that argument in a court of law in most industrialised economies.

Good luck with the sales too. What parent would feel even remotely comfortable buying a toy from a company that blatantly and unapologetically tells them they shouldn't have any expectation of privacy?

This must be quite close to a perfect illustration of what companies should NOT do following a data breach: shifting the burden of responsibility on to the customer, instead of owning it within the company, taking specific action and communicating the effect of that action to reassure your customers and protect your brand.

Watch what happened when the BBC’s technology correspondent questioned VTech representatives at a trade show a couple of days ago.

I have a feeling this will make it into a few media training videos.

There are few (if any) absolutes in security. Even the best systems carry some tiny risk of being compromised. But whether you’re making toy cars or real cars, strong security is ultimately a burden to be borne by the manufacturer making the product or providing the service.

I for one hope VTech stick to toy cars.